The following changes were made to this tutorial on October 13, 2018.
1. Now recommending Ubuntu 18.04 instead of Ubuntu 14.04. It appears that Google BBR now comes pre-installed with Ubuntu 18.04, so it makes the process much easier. I will leave the BBR installation instructions here in case Ubuntu 18.04 is not available with other VPS providers.
2. No longer recommending Vultr Tokyo location for China Telecom. The latency has become too high. The best locations for China Telecom these days are the US west coast ones (Los Angeles, Silicon Valley, etc).
3. Now recommending Vultr's new $3.50/month plan after IPv4 IP addresses were removed from the $2.50 plan.
Some of the images in this tutorial are from before the above changes were made.
ShadowsocksR is still working well in China, but the GFW has become much more effective at blocking it. You may need to create several instances until you get an IP address that is not blocked.
The best way to know if your IP address is blocked or not is to connect by SSH without using a VPN. If you can't connect by SSH without a VPN, then your Shadowsocks server will not work either.
Destroy the instance and make a new one.
Previously you could determine if your IP was blocked by sending a ping or traceroute command. The GFW is now more sophisticated and is blocking servers that still respond to pings and traceroutes.
The only way to know if your server is blocked or not without installing Shadowsocks first is to connect by SSH without a VPN connected.
For this reason, I highly recommend following this tutorial with your VPN off (I never thought I would say something like that, but this is a special case).
Some people think that you can avoid having your server blocked by using certain settings. For example, by using ChaCha20-Poly1305 instead of chacha20 for the encryption. Or, by using auth_sha1_v4 instead of origin for the obfuscation protocol.
The truth is that this doesn't seem to make any difference at all. If your server gets blocked and then you use different settings, and it doesn't get blocked again, this is likely just a coincidence. Some servers can go years without ever being blocked, while others can get blocked within 1 day. It's very random, and there is not much you can do about it.
I think the GFW is blocking IPs based on traffic patterns, nothing to do with the protocol or obfuscation methods. I have heard reports of servers getting blocked with every kind of possible settings.
If you don't want to deal with the trouble of having your server IP blocked, I highly recommend using a reliable and fast commercial VPN service. Using a high performance VPN server works much better than Shadowsocks anyway.
A VPN connection will tunnel all of your traffic, whereas Shadowsocks leaks all over the place and is not compatible with all programs and protocols.
Most people are here because they are using an unstable and slow VPN service and looking for something faster.
There are a handful of premium VPN servers that still perform very well in China.
Check the 2018 VPN in China blog page for the latest speed test results from China using these high performance VPN servers.
With servers starting from $0.005 per hour ($3.50/month) and good routing to China Telecom, Vultr offers a good combination of price and speed. It's not the fastest server you can buy, but it does offer the best value for money in my opinion.
Vultr servers are always billed hourly. This is a very useful feature for 2 reasons.
1. If you mess something up and want to start over again, just destroy the VPS and make a new one. It will only cost you $0.01 if you destroy the VPS within the first 2 hours. This is a great way for beginners to learn to use Linux.
2. If your server gets blocked, you can just destroy it and make a new one. You won't lose money because you only pay for the amount of hours you use the server for.
Once you have used the server for 625 hours (~26 days), then you will pay the monthly price. If you destroy your server before 625 hours, then you will pay for the number of hours that you used. You will see both the monthly and hourly price when you choose your instance. This is not an option to choose, it is just showing you both prices.
Vultr offers a very generous bandwidth allowance that you will likely never go over. The smallest package for $3.50/month includes 500GB of data. The next package for $5/month includes 1TB of data. Note that the data allowance is pro-rated for the amount of hours if you use the server for less than 1 month.
Tip - If you go over this allowance, it's cheaper to shut down your instance and start a new one rather than paying the excess data fee (or upgrade to a higher price instance).
If this is your first time setting up a Shadowsocks server, then just stick with Vultr for now and follow this tutorial exactly to the letter.
After you learn the process of making a server using Vultr or if you are already familiar with Linux, you may want to consider some other providers for higher performance (if you are willing to spend more and take the risk of paying monthly/annually instead of hourly).
If you want to try other providers, make sure you choose Ubuntu 18.04 64 bit as the OS and KVM as the virtualization (if available).
Previously this tutorial did not work for OpenVZ virtualization because it is not possible to change the kernel to install BBR. However, now that BBR comes pre-installed on Ubuntu 18.04, this tutorial might work with Ubuntu 18.04 on OpenVZ virtualization (not sure, someone please confirm in the comments if you have tried it).
Rackspace Hong Kong has the best network for connections to mainland China. It has direct peering to China Telecom (CN2), China Unicom, and China Mobile.
The only problem with Rackspace is that it's very expensive (over USD $50/month plus USD $0.20/GB).
If the cost is not a concern for you, I would be very interested to know how a shadowsocks server performs on Rackspace. If anyone has tried a cloud server on Rackspace Hong Kong, please let me know about it in the comments below.
The #2 alternative is not actually a VPS provider, but rather a VPN company that hosts one of its servers on Rackspace Hong Kong. This is a much cheaper way to get access to a high performance Rackspace Hong Kong server.
The ExpressVPN Hong Kong 3 server is hosted on Rackspace!
Just sign up for ExpressVPN and connect to the Hong Kong 3 server.
Using the ExpressVPN links on this page will give you access to a special offer for an additional 3 months free when you purchase a 12 month subscription. You will get 15 months for the price of 12 months.
If you consider the cost of setting up your own premium China Telecom CN2 server in Hong Kong, paying $99 for 15 months of ExpressVPN is actually very cheap!
The Hong Kong 3 server is hidden away under the "All" section of the app. You won't find it in the "Recommended" section.
Hong Kong 3 was blocked in November/December last year, but it seems to be back and working better than ever! I have tested the speed of this server at various times over a 24 hour period on Feb 25-26, 2018. You can see the results below.
This server has ultra low latency (direct connection to China Telecom on premium CN2 network). Note the very low ping times of only 17-19 ms. The download speed is not too bad either!
I'm also running this server on a cheap 180 yuan router from Taobao that I use for video streaming. Check out my tutorial on this router here. This router can get around 20Mbps download speed on Hong Kong 3.
Here is the best part.
Every ExpressVPN subscription comes with a no-hassle 30 day money back guarantee. Get a full refund any time within 30 days. No sneaky terms and conditions. Just ask for a refund if you are not satisfied and you will get one!
In case the Hong Kong 3 server gets blocked again or is unavailable, the Hong Kong 5, Hong Kong 4, Taiwan 1, and Taiwan 2 servers also have premium routing to mainland China ISPs.
I have not tried this one yet, but several people have suggested it. They offer China Telecom CN2 servers hosted in Los Angeles.
USA CN2 servers are not as fast as Asian CN2, but it should be faster than Vultr and other providers.
Currently, there is a promotion on the Los Angeles CN2 location with 500GB data for only $29.99 per year.
The special China Telecom CN2 servers are only offered through this page. The servers offered from the regular homepage are not the CN2 ones.
After using the above link, find the special called SPECIAL 10G KVM PROMO V3 - LOS ANGELES - CN2.
When you check out, make sure the location is US - Los Angeles DC3 CN2 (USCA_3). There is another promo package for $19.99 per year but this is not the CN2 location.
I heard rumors that Bandwagon Host does support a limited number of IP address changes if your server gets blocked. I have sent a request asking for details about this and I will update here when I get the official answer about this.
Update: Here is the answer from Bandwagon Host regarding the IP address changing policy.
James: What is your policy for changing IP addresses if the IP gets blocked by China GFW? Your TOS mentions something about a fee for changing IP but doesn't say how much the fee is.
Bandwagon Host: We change this policy and fees from time to time. We guide customers through the process of changing IP when the need arises (be it free replacement or not). Usually the fee to replace IP is between $2 and $20.
James: What is the current policy right now? Between $2 to $20 is a very big range. Can you provide more information about this?
Bandwagon Host: I am very sorry, but we are not able to provide any more assistance on these questions.
It seems they don't want to answer my questions about this.
If anyone has first-hand experience on this issue, please leave a comment.
Unlike Vultr and Rackspace, I believe Bandwagon Host counts the data allowance as INPUT + OUTPUT. With a proxy server, the data input and output should be the same. This means that 500GB from Bandwagon Host is actually only 250GB.
Vultr, Rackspace, and Aliyun only count OUTPUT data, so you get the full amount of data that they advertise.
I'm going to move the Aliyun information to a new page because Aliyun is very complicated and this page is already long enough.
I don't know much about these ones except that they are popular choices for Shadowsocks users in China. I will just leave the links here and you can do your own research. Be sure to leave a comment if you have tried any of these.
Kdatacenter - Premium South Korea VPS (recommended if you are near Shanghai)
Gigsgigscloud - Variety of different Hong Kong and USA servers
Before we get started, it's a good idea to do some network analysis to find the best Vultr server location for your Shadowsocks server.
Using the hostnames below, send a ping command to each server to check the latency to your location. Remember to turn off any existing VPN connections, because we want to check the latency between your ISP and the Vultr servers.
The locations shown in bold have the best routing to China Telecom.
Location                     Hostname
Silicon Valley, California   sjo-ca-us-ping.vultr.com
Los Angeles, California      lax-ca-us-ping.vultr.com
New York (NJ)                nj-us-ping.vultr.com
If you are using Windows, you can download my Vultr ping script to automatically ping all of the Vultr servers.
I have identified 4 servers that have a decent ping time to my China Telecom connection.
Now, I will analyze these servers using WinMTR to monitor the latency and packet loss over the next hour. You can skip this step, it's not strictly required, but I recommend doing it.
Look at the packet loss and average ping time for each server and choose the best one, or choose a few of them.
I am going to try a Tokyo server (14% packet loss, 122ms average ping) and a Los Angeles server (1% packet loss, 179ms average ping).
To avoid confusion, I will just show the instructions for setting up 1 of the servers, although I am actually doing both at the same time.
The first step is to go to Vultr and create an account if you don't already have one. You will need to fund your account with a minimum $5 deposit using PayPal or verify a valid credit card.
When I first signed up, I used my Chinese credit card and I was asked to verify my identity by sending them a copy of my passport and the credit card I used. I suspect that they asked for this because I was connected to a VPN when I added my credit card and the IP address did not match the country of my credit card.
I recommend turning off your VPN if you are using a Chinese credit card or Chinese PayPal account to avoid this fraud detection. If you are using an overseas credit card, you may want to connect to a VPN in the same country as your credit card, or turn your VPN off. I'm not sure which option is better in this case.
Although Vultr offers WeChat payments, this won't work for you unless you have a Chinese ID card (only Chinese citizens can use WeChat and Alipay for merchants outside of China).
Once your account is funded/verified then you can deploy a new instance (VPS).
Choose your location.
Choose the server type (OS). For this tutorial, I am using Ubuntu 18.04 x64.
Choose the server size. The $3.50/month ($0.005/hr) plan with 20GB storage, 512MB memory, and 500GB data is all you need for a personal shadowsocks server.
Choosing a more expensive instance will not increase the performance of your server. The only reason to choose a more expensive instance is if you need more than 500GB of data per month.
Leave everything else as default until section 7; do not enable IPv6 (untick it if it's selected).
Now enter a hostname, you can put anything. I entered tokyo.com for my hostname. As we are not using our VPS to host a website, it doesn't matter what you put here. You can also leave it blank with Vultr but some other VPS providers will require you to enter something here.
Press Deploy Now to deploy the VPS.
Wait until your VPS is finished installing and the status changes to "Running". Then, click on the server to open the server details.
We will need the IP address and password to log into our server by SSH.
The first thing I do after deploying a new VPS is look up the IP address in a geo-location database to see if it shows the correct location. Many Vultr Asian servers are incorrectly geo-located in the USA. If the IP address is not showing the correct location, then I will just destroy the instance and deploy a new one (remember, it only costs $0.01 if you destroy an instance within the first few hours).
Using a shadowsocks server with an IP address with the wrong geo-location can be annoying. You will need to manually choose the correct server when doing a speed test, Google will think you are in the wrong country, etc.
After looking up the IP address, I can see that it is correctly listed as Tokyo.
Ok, time to connect to our server using SSH.
If you are using Mac, you can use the Terminal program to start an SSH session with your server.
Open Terminal and enter the following command (Mac users only):
If you are using Putty for Windows, enter the IP address of your Vultr server and press open to connect to it. Leave all of the settings as default. You can save the session so you don't need to enter the IP address next time, I saved the settings as "Vultr Tokyo".
Accept the security warning and then login as root and enter the password from the Vultr server management page.
Tip - To paste text from the clipboard using Putty, simply press the right mouse button once and whatever is in the clipboard will get pasted. When typing or pasting your password, you won't see anything on the screen. Just press enter after you have typed it or pasted it by single clicking the right mouse button.
If your SSH connection is not successful, wait a few more minutes and try again. When you first create a server, it can take up to 5 minutes until it's ready to use.
If you still can't connect after your server is ready, that means your IP address is blocked by the Great Firewall of China (probably due to the person who used that IP address before you).
You can confirm this by connecting to a VPN and trying the SSH connection again.
If your IP is blocked, then destroy your instance and make a new one.
Once you have a good IP address that is not blocked and you are logged in successfully, your screen should look like this.
After you enter the command, press enter to execute it.
When executing this first command, you may get a message that says something like this:
"A new version of configuration file /etc/default/grub is available, but the version installed currently has been locally modified. What do you want to do about modified configuration file grub?"
You can just press enter to keep the default option of using the current one.
Now, let's install shadowsocks on the server. There are many different versions of shadowsocks and many different ways to install them. I am going to install ShadowsocksR (SSR) using an installation script from GitHub user teddysun.
Teddysun has made some great scripts that make it very easy to install different versions of shadowsocks and other linux applications.
There used to be a donation page (https://teddysun.com/donate) where you could send a donation to Teddy Sun by WeChat or Alipay to support his good work. However, that link is now dead and I can't find any similar page on his website now. If anyone knows how to support the work of Teddy Sun, please let me know what link I can include here.
Enter the following 3 commands to download and run the SSR installation script.
wget --no-check-certificate https://raw.githubusercontent.com/teddysun/shadowsocks_install/master/shadowsocksR.sh
Note - The above command may wrap onto 2 lines because it's too long. Make sure you copy the full command starting with wget and ending with shadowsocksR.sh
chmod +x shadowsocksR.sh
./shadowsocksR.sh 2>&1 | tee shadowsocksR.log
Enter the parameters that you want to use for your server. Here is what I am using for this tutorial. You can always change these settings later if you want so don't think about it too much.
After you enter all of the settings, press any key to start the installation. It will take about 5 minutes.
If you want to make any changes to the configuration, enter the command below to edit the server config file.
Press Ctrl + X to exit. When asked to save the modified buffer, press the y key once and then press enter to keep the same file name.
Every time you make changes to this file, you need to restart shadowsocks so the changes will take effect. Restart shadowsocks using the command below (if you have changed the config file).
The server is already running, you can download a shadowsocks client and try it now.
The standard Shadowsocks (SS) client is no longer stable in China. I recommend using the ShadowsocksR (SSR) client if you are in China.
iOS Potatso Lite (FREE)
iOS Shadowrocket ($2.99)
Shadowsocks for Windows (not recommended for China)
Shadowsocks for Android (not recommended for China)
For iOS, I highly recommend paying $2.99 for Shadowrocket because WhatsApp calls and other VoIP applications don't work with Potatso Lite or any other iOS app. Shadowrocket is the only stable Shadowsocks client for iOS that will tunnel VoIP through the proxy, so it's definitely worth the price for it.
Apple has removed all VPN and Shadowsocks apps from the China version of the app store. If your iTunes account is registered with a Chinese address, you need to create a new iTunes account with a foreign address to download these apps.
The original version is called Shadowsocks (SS). ShadowsocksR (SSR) is a newer version that supports obfuscation, which can make your shadowsocks traffic look more like regular https web traffic. This can prevent your speed from getting throttled by your network or ISP.
The server that we just made is compatible with both SS and SSR clients (if you chose the same parameters as me when creating your server).
All of the clients are a little bit different, but basically you need to enter the following settings (assuming you chose the same options as me).
Server - The IP address of your server
Port - 443
Password - testing (or whatever password you chose)
Encryption - chacha20
Protocol - origin (this option is only available for SSR clients)
Obfs - http_simple for obfuscation or plain for no obfuscation (this option is only available in SSR clients)
If there are any other options, leave them as default. Do not enable onetime authentication.
You need to be careful with these settings. If you don't get it exactly right, then it will seem like the proxy is connected, but you won't have any connection to the internet. Unlike a VPN, you cannot easily tell if the proxy is actually connected successfully or not.
Here are my settings using the SSR Windows client.
The way that you enable the system proxy will depend on the version of the client you are using.
Using the SSR Windows client:
Enable the proxy by choosing Mode --> Global or Mode --> PAC.
Disable the proxy by choosing Mode --> disable system proxy.
TIP - Make sure you remember to disable the system proxy before you exit the client or shut down your computer. Otherwise, you will find that you have no internet at all. To solve this problem, just open the shadowsocks client and disable the system proxy.
Global will route all domains through the proxy, while PAC will only use the proxy for a specific list of blocked websites such as Google, Facebook, etc., and use your ISP connection for everything else. Not every blocked website is part of this PAC list. And even foreign websites that are not blocked are very slow if you are not using a proxy or VPN.
For this reason, I recommend using the Global mode. It's easy enough to enable/disable that you can conveniently switch it off if you need to access some Chinese websites.
You can also choose the "Bypass LAN & China" proxy rule to automatically bypass the proxy when connecting to websites or servers in China. This will only bypass the proxy for known China IP addresses and use the proxy for everything else (assuming you are in Global Mode).
Once you have enabled the system proxy using the client, most browsers and applications should work by default. Chrome and IE, for example, will use the system proxy settings (unless you have an extension installed that is controlling the proxy settings).
Other browsers or programs, such as Firefox, may need to be set manually to use the system proxy or use a SOCKS5 proxy on server 127.0.0.1 port 1080 (port 1086 for Mac). The proxy settings can usually be found in the advanced settings for most applications.
Proxies will not work for all programs and all types of web traffic. Sometimes you need to use a VPN for certain things. It is also possible to tunnel a VPN connection over shadowsocks for better VPN performance.
Let's check the performance of my Tokyo and Los Angeles servers.
Both servers are working but the speed is not great.
When testing the speed of shadowsocks, you must remember to use an HTML5 speed test such as beta.speedtest.net, because all proxies will bypass Adobe Flash and you will only test your connection without the proxy if you use speedtest.net or other Flash based speed tests.
Install Google BBR and Optimize the Server
Google BBR is a TCP congestion control algorithm that can give a huge speed boost on networks with high packet loss (basically all of the networks in/out of China).
October 2018 Update - As Google BBR is now included by default with Ubuntu 18.04, you can skip this step.
To confirm whether Google BBR is already installed, enter the following command.
lsmod | grep bbr
If you see a text output from this command with the words "tcp_bbr" and a number beside it, then you already have BBR. You can skip the next command.
If you are using an older version of Ubuntu or don't have BBR installed, then install it using the command below (another great script from Teddy Sun).
wget --no-check-certificate https://github.com/teddysun/across/raw/master/bbr.sh && chmod +x bbr.sh && ./bbr.sh
If you have an incompatible kernel, you will be asked to reboot your server after the kernel is changed. You will need to re-connect using Putty after rebooting.
You can confirm that the installation was successful by using the "lsmod | grep bbr" command again.
Now that bbr is installed, we just have a few more settings to optimize.
Next, change the kernel configuration settings.
Add the following lines at the bottom of the file after the net.ipv4.tcp_congestion_control = bbr line.
fs.file-max = 51200
net.core.rmem_max = 67108864
net.core.wmem_max = 67108864
net.core.netdev_max_backlog = 250000
net.core.somaxconn = 4096
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 0
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_keepalive_time = 1200
net.ipv4.ip_local_port_range = 10000 65000
net.ipv4.tcp_max_syn_backlog = 8192
net.ipv4.tcp_max_tw_buckets = 5000
net.ipv4.tcp_fastopen = 3
net.ipv4.tcp_mem = 25600 51200 102400
net.ipv4.tcp_rmem = 4096 87380 67108864
net.ipv4.tcp_wmem = 4096 65536 67108864
net.ipv4.tcp_mtu_probing = 1
Press Ctrl + X to exit and then press Y to save the file, and press enter to keep the same file name.
Apply the new settings by entering the command below.
Let's make a few more optimisations.
Add these lines to the bottom of the file, including the * symbol.
* soft nofile 51200
* hard nofile 51200
Press Ctrl + X to exit and then press Y to save the file, and press enter to keep the same file name.
Next, enter this command.
Add the following line at the end of the file.
session required pam_limits.so
Press Ctrl + X to exit and then press Y to save the file, and press enter to keep the same file name.
Add the following line at the end of the file.
ulimit -n 51200
Finally, type the command below.
ulimit -n 51200
Restart the shadowsocks server again.
The optimizations are finished!
I can see a big improvement in the speeds after the optimizations.
The speed is between 10 times and 25 times faster now!
The speed test was done at 11pm, the speed will be even faster during non-peak hours.
Speed test the following morning...
Warning! Make sure you only share your server with friends or people who you trust because you will be responsible for any illegal activities originating from the IP address of your server.
The easiest way to share your server is to simply tell your friends the port number and password of your server. Everyone can use port 443 with the same password; there is no limit to how many simultaneous connections can be made.
However, if you want to give each user their own unique port number and password, you can edit the shadowsocks.json file.
Delete all of the contents of the file and then paste the contents below (using your own combination of port numbers and passwords that you wish to use).
The above configuration is just an example, you can use whatever ports and passwords you want.
Don't forget to restart shadowsocks after you make changes to the config file.
There is probably a much better way to do this, but this is the method I found.
This is a quick and easy way to get this job done, but it has a major flaw. If your VPS is rebooted, then the data counters will be cleared. Theoretically, there should be some way to save the byte counters and restore them after a reboot. Or, there is probably a better way to do it altogether, but I don't know any such method so I will just show you what I know.
If you know of a better way to do this then get in touch with me by email and let me know your method so I can update this page.
In this example, I will add firewall rules to limit the data transferred on each port. I will add a data limit of 50GB for port 443 and 10GB for each of the other ports I have set up.
Enter the following commands (using the port numbers which you have configured with the data limit in bytes that you want to set).
sudo iptables -I OUTPUT -p tcp --sport 443 -j DROP
sudo iptables -I OUTPUT -p tcp --sport 443 -m quota --quota 50000000000 -j ACCEPT
sudo iptables -I OUTPUT -p tcp --sport 1194 -j DROP
sudo iptables -I OUTPUT -p tcp --sport 1194 -m quota --quota 10000000000 -j ACCEPT
sudo iptables -I OUTPUT -p tcp --sport 8000 -j DROP
sudo iptables -I OUTPUT -p tcp --sport 8000 -m quota --quota 10000000000 -j ACCEPT
sudo iptables -I OUTPUT -p tcp --sport 8383 -j DROP
sudo iptables -I OUTPUT -p tcp --sport 8383 -m quota --quota 10000000000 -j ACCEPT
sudo iptables -I OUTPUT -p tcp --sport 8384 -j DROP
sudo iptables -I OUTPUT -p tcp --sport 8384 -m quota --quota 10000000000 -j ACCEPT
sudo iptables -I OUTPUT -p tcp --sport 3000 -j DROP
sudo iptables -I OUTPUT -p tcp --sport 3000 -m quota --quota 10000000000 -j ACCEPT
sudo iptables -I OUTPUT -p tcp --sport 3001 -j DROP
sudo iptables -I OUTPUT -p tcp --sport 3001 -m quota --quota 10000000000 -j ACCEPT
sudo iptables -I OUTPUT -p tcp --sport 3002 -j DROP
sudo iptables -I OUTPUT -p tcp --sport 3002 -m quota --quota 10000000000 -j ACCEPT
sudo iptables -I OUTPUT -p tcp --sport 3003 -j DROP
sudo iptables -I OUTPUT -p tcp --sport 3003 -m quota --quota 10000000000 -j ACCEPT
sudo iptables -I OUTPUT -p tcp --sport 3004 -j DROP
sudo iptables -I OUTPUT -p tcp --sport 3004 -m quota --quota 10000000000 -j ACCEPT
sudo iptables -I OUTPUT -p tcp --sport 3005 -j DROP
sudo iptables -I OUTPUT -p tcp --sport 3005 -m quota --quota 10000000000 -j ACCEPT
sudo iptables -I OUTPUT -p tcp --sport 3006 -j DROP
sudo iptables -I OUTPUT -p tcp --sport 3006 -m quota --quota 10000000000 -j ACCEPT
sudo iptables -I OUTPUT -p tcp --sport 3007 -j DROP
sudo iptables -I OUTPUT -p tcp --sport 3007 -m quota --quota 10000000000 -j ACCEPT
sudo iptables -I OUTPUT -p tcp --sport 3008 -j DROP
sudo iptables -I OUTPUT -p tcp --sport 3008 -m quota --quota 10000000000 -j ACCEPT
sudo iptables -I OUTPUT -p tcp --sport 3009 -j DROP
sudo iptables -I OUTPUT -p tcp --sport 3009 -m quota --quota 10000000000 -j ACCEPT
sudo iptables -I OUTPUT -p tcp --sport 3010 -j DROP
sudo iptables -I OUTPUT -p tcp --sport 3010 -m quota --quota 10000000000 -j ACCEPT
To check the firewall rules and how much data has been used by each user/port, enter this command.
Note - Adjust the width of the Putty or terminal window before entering this command because the default width is not enough to show the output correctly.
sudo iptables -nvL -t filter --line-numbers
Use the scrollbar on the right of the Putty window to scroll up and see the OUTPUT chain.
In this example, I have added 32 new firewall rules to the top of the OUTPUT chain. The output of the OUTPUT chain of the above command should look like this (2 rules for each port).
Make note of the first column (the rule's line number, referred to as the chain number below) for each line. The chain number will be used in some of the commands below.
As you can see, I have used 24MB of data on port 3000 and 56MB of data on port 443 since adding these firewall rules. Once the quota has been used up (50GB for port 443, 10GB for all other ports in my example) for a specific port, then the proxy will stop working for the user/users of that port (until you reset the counter or reboot the server).
To clear the data counters for all users/ports, enter this command.
sudo iptables -Z OUTPUT
To clear the counter for a specific user, enter this command.
sudo iptables -Z OUTPUT #chain number
#chain number = The number shown in the first column when you use the "sudo iptables -nvL -t filter --line-numbers" command shown above.
For example, to clear the byte counter for port 443, this is the command.
sudo iptables -Z OUTPUT 31
Now the data counter for port 443 has been reset to 0.
To delete the firewall rules for a specific port, first note the 2 chain numbers related to port you want to delete. For example, to remove the data limit for port 3000, we need to delete chain numbers 21-22.
sudo iptables -D OUTPUT 21
sudo iptables -D OUTPUT 21
Note - The above commands are not a mistake, you enter the same command twice. After you delete chain #21, all of the chains below it will shift up. Chain #22 becomes chain #21, #23 becomes #22, and so on and so forth.
To make these firewall rules persistent after a reboot, use the following commands.
Note - The data counters will still be reset to zero after a reboot, only the rules themselves will be persistent.
sudo apt-get install iptables-persistent
sudo netfilter-persistent save
This is the end of the bonus section for now. Maybe it will be updated to include more later on...
If you liked this tutorial, please share it using the buttons below!